hMailserver is an open source Windows e-mail server. For incoming e-mail it supports STARTTLS with the help of OpenSSL 1.1.1.
It allows configuring the cipher suites, the default is:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
I wanted to disable AES256-GCM-SHA384 but after removing it, the cipher suite was still offered for STARTTLS (according to test site https://internet.nl). In the end I had to remove HIGH to stop AES256-GCM-SHA384 from appearing on
How should I read this OpenSSL configuration setting? On the last line AES256 are mentioned standalone. Doesn’t this mean that any cipher with AES256 will be allowed, making the long list before that quite redundant? The same goes for the HIGH, doesn’t that make mentioning a lot of the other cipher suites redundant?
You tried to disable a mandatory cipher suite for TLS 1.3, while TLS 1.3 was enabled, thus OpenSSL ignored the request.
If you want to disable this cipher suite, you must also disable TLS 1.3 (which it seems you did by removing
You should not be attempting to do this at all. You should instead ask about whatever problem you had that led to this as a possible solution, so that something reasonable can be found. Unless, of course, you really mean to disable TLS 1.3.
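How OpenSSL actually reads a cipher string like the one in the question can be checked locally with Python's ssl module, which passes the string to OpenSSL and reports back the list it produced. This is an added example, not code from the question, the answer or hMailServer; it assumes a Python linked against OpenSSL 1.1.1 or later, and the names HMAIL_DEFAULT, expand, tls13_suites and without are its own.

```python
import ssl

# hMailServer's default cipher string as quoted in the question, with the
# line-wrap spaces and the trailing ';' removed so OpenSSL accepts it.
HMAIL_DEFAULT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)


def _ciphers(cipher_string):
    """Let OpenSSL parse cipher_string and return what it actually enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # SSL_CTX_set_cipher_list underneath
    return ctx.get_ciphers()


def expand(cipher_string):
    """Names of the TLS 1.2-and-below suites the string enables, in OpenSSL's order."""
    return [c["name"] for c in _ciphers(cipher_string) if c["protocol"] != "TLSv1.3"]


def tls13_suites(cipher_string):
    """TLS 1.3 suites reported for the context. The cipher string does not govern
    them: OpenSSL keeps them in a separate 'ciphersuites' list (SSL_CTX_set_ciphersuites),
    which Python's ssl module does not expose, so the result is the same for any input."""
    return [c["name"] for c in _ciphers(cipher_string) if c["protocol"] == "TLSv1.3"]


def without(cipher_string, name):
    """Drop one explicit entry from a colon-separated cipher string."""
    return ":".join(p for p in cipher_string.split(":") if p != name)


if __name__ == "__main__":
    target = "AES256-GCM-SHA384"
    print(target in expand(HMAIL_DEFAULT))                        # True: listed explicitly
    print(target in expand(without(HMAIL_DEFAULT, target)))       # True: AES256 and HIGH still match it
    print(target in expand("AES256"))                             # True: the alias alone covers it
    print(target in expand(HMAIL_DEFAULT + ":!" + target))        # False: '!' removes it for good
    print(tls13_suites(HMAIL_DEFAULT) == tls13_suites("AES256"))  # True: untouched by the string
```

Removing an explicit entry is a no-op while a later alias such as AES256 or HIGH still matches it; only a `!` rule excludes a suite regardless of what else appears in the string.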
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.